Guidance Intended to Help Companies Detect Compromises Faster

Countries forming the Five Eyes intelligence alliance on Tuesday outlined minimum security requirements that edge device vendors should follow to enable swifter forensic analysis in the wake of cyberattacks.
Edge devices have become a repeated target of nation-state and advanced financially motivated hackers, who exploit the devices’ general opacity to cyber defenders, their always-on status and their trusted position within corporate intranets.
“By following the minimum levels of observability and digital forensics baselines outlined in this guidance, device manufacturers and their customers will be better equipped to detect and identify malicious activity against their solution,” said U.S., Australian, British, Canadian and New Zealand cyber agencies.
Key recommendations include:
- Login requirements: Support threat detection by collecting logs on authentication using usernames and passwords. To enable quicker forensic analysis if a compromise has already occurred, collect timestamps on device boots and reboots. Raise alerts if there is a failure with the network time protocol.
- Remote capabilities: Provide real-time log transfer over transport layer security encryption, in a machine-readable format that can be ingested by analysis tooling. Generate “keep-alive” messages containing the device number and GUID as a default device setting.
- Volatile data collection: To enable automatic analysis, collect volatile data such as memory maps, dynamically loaded modules, and environment variables.
- Non-volatile data collection: System owners should ensure non-volatile storage collection by decrypting the contents of the stored data to facilitate its examination.
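As an added illustration that is not part of the article or of the agencies’ guidance, the following Python check consumes a constructed machine-readable (JSON lines) log stream of the kind the recommendations describe and raises the alerts they call for: boot and reboot timestamps, bursts of failed logins, a network time protocol failure, and a gap in keep-alive messages. The device name, GUID, NTP server and source address are placeholders.

```python
import json
from datetime import datetime, timedelta

# Constructed sample stream (JSON lines, as the guidance asks for machine-readable
# log transfer). Device name, GUID, server and addresses are placeholders.
SAMPLE_LOGS = """\
{"ts":"2025-02-04T08:00:00Z","event":"boot","device":"fw-01","guid":"PLACEHOLDER-GUID"}
{"ts":"2025-02-04T08:00:05Z","event":"keepalive","device":"fw-01","guid":"PLACEHOLDER-GUID"}
{"ts":"2025-02-04T08:01:05Z","event":"keepalive","device":"fw-01","guid":"PLACEHOLDER-GUID"}
{"ts":"2025-02-04T08:01:10Z","event":"auth","user":"admin","result":"failure","src":"203.0.113.7"}
{"ts":"2025-02-04T08:01:12Z","event":"auth","user":"admin","result":"failure","src":"203.0.113.7"}
{"ts":"2025-02-04T08:01:14Z","event":"auth","user":"admin","result":"failure","src":"203.0.113.7"}
{"ts":"2025-02-04T08:01:20Z","event":"ntp","result":"failure","server":"ntp.example.net"}
{"ts":"2025-02-04T08:05:05Z","event":"keepalive","device":"fw-01","guid":"PLACEHOLDER-GUID"}
{"ts":"2025-02-04T08:05:30Z","event":"reboot","device":"fw-01","guid":"PLACEHOLDER-GUID"}
"""

def analyze(log_text, keepalive_interval=60, auth_fail_threshold=3, window=60):
    """Return a list of (alert_type, detail) tuples derived from the log stream."""
    alerts = []
    last_keepalive = None
    failures = {}  # user -> timestamps of failed logins inside the sliding window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        ev = rec["event"]
        if ev in ("boot", "reboot"):
            # Boot timestamps anchor forensics: volatile state before them is gone,
            # and an unexplained reboot is itself worth triage.
            alerts.append((ev, rec["ts"]))
        elif ev == "keepalive":
            if last_keepalive and ts - last_keepalive > timedelta(seconds=2 * keepalive_interval):
                gap = int((ts - last_keepalive).total_seconds())
                alerts.append(("keepalive_gap", f"{gap}s without heartbeat from {rec['device']}"))
            last_keepalive = ts
        elif ev == "ntp" and rec.get("result") == "failure":
            # A clock failure undermines every other timestamp; alert immediately.
            alerts.append(("ntp_failure", rec.get("server", "?")))
        elif ev == "auth" and rec.get("result") == "failure":
            recent = [t for t in failures.get(rec["user"], []) if ts - t <= timedelta(seconds=window)]
            recent.append(ts)
            failures[rec["user"]] = recent
            if len(recent) == auth_fail_threshold:
                alerts.append(("auth_failure_burst", f"{rec['user']} from {rec['src']}"))
    return alerts

if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOGS):
        print(kind, detail)
```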
The agencies further recommended companies adopt secure-by-design principles (see: Technology Giants Join CISA’s Secure by Design Pledge).
Chinese threat groups have been at the forefront of attacks against edge devices, including campaigns against edge device vendors Sophos and Fortinet.
“These are guidelines that shouldn’t be ignored because when edge devices are insecure, the entire networks they run within are at heightened exposure to attack,” said Juliette Hudson, CTO of security firm CybaVerse. “Given that hospitals, [critical national infrastructure] and businesses heavily rely on third-party devices for core functions of their operations, these need to be secure,” Hudson added.